Yeah, baby! We’re Agile now!

Well, step 1 is that you have to figure out why you want to be “agile” in the first place. And “because it’s kool, man!” or “because everyone’s doin’ it, dude!” aren’t acceptable answers.

Now, if you’re one of the original 17 authors of the Agile Manifesto, you were just looking for a better way of delivering quality software that people wanted. Andy Hunt (one of the 17) describes it this way:

“I think it provided a jolt of energy, hope of a better way of doing things, of creating software and making the world work better.”

And if you go back to the HBR article I mentioned earlier, the origins of Scrum were forged in the heat of trying to deliver consumer products quickly and flexibly in a business environment undergoing a step-change of:

Intensified competition

A splintered mass market

Shortened product lifecycles

Advances in technology and automation

Meaning, that if the expected lifetime of a $70M consumer product is 18 months, and it’s 3 months late being delivered because of poor planning, then you need to generate a million more in revenue per month than you’d originally planned—and that’s just to break even!

I bet that wasn’t part of your marketing plan, now was it?

So if you’re a security leader, you’re also faced with a dizzying array of changes to your world every day:

More sophisticated (and freely-available) attacks

More complexity in your technology environments

More vulnerabilities due to more products due to the above complexity

More integration between “internal” business information and systems and the “external” systems that interact with the Internet

Less control over your environments thanks to cloud

And those changes are driving you to find better solutions. But innovating the way you work is hard. It requires smart people…and it requires giving them time to think about big problems.

But you don’t have time. You’ve got the Great Horde of APTs pounding on your doors and probably already inside your “walls”.

And we get so caught up in the practices and tactics of “best practices” so that we can show we’re doing things “by the book”, we don’t have time to tackle the hard stuff of real change.

Identify a problem. Make a decision. Implement the decision. See what happens. Identify where it didn’t quite work out. Make another decision.

It’s easy to read, but hard to do. It requires you to think. To deal with uncertainty and probably get it wrong.

And that “Identify where it didn’t quite work out” part is what often gets the short straw. Unfortunately…that’s where the magic is of the whole thing.

But if we want security to “work better” in Andy’s words, we need to really spend time to figure out what’s not working and be prepared to make some changes. And those changes probably aren’t going to be popular, and they are going to be criticized and ridiculed by “the experts” because, well…

“You’re doing it wrong. Don’t you know ‘Agile’ is doing A, B and C?”

But it isn’t. Those are just tactics.

And far, far, FAR too often, we take the tactics as gospel and miss the point.

Agile is a mindset, and it’s a way of operating so you can respond to change and you can deal with uncertainty.

And, to me, that’s what “security” is supposed to do, right?

Isn’t our job to be able to be resilient and responsive to changes in the environment…to deal with the uncertainty of “what might happen next”…

…so we can give confidence to those we support that, “Hey, things are gonna be OK.”

And mean it—because we believe it ourselves.

It’s easy to confuse tactics with a philosophy, because they’re tangible, and we can see them.

But the tactics will – and should – come and go as the world they’re designed to address changes.

You can teach a chimpanzee…or a dog…or even a cat tactics and techniques. But you can’t teach them a philosophy or a mindset…a way of thinking and being.

Agile is what you are. It’s not what you do.

And what you are is about the value you create.

So if you want to truly create a sense of security and confidence in your organization,

…you’ll want to make sure you don’t miss the August issue of the Security Sanity™ newsletter where I talk about a way to do exactly that.

It’s only on sale for the next 3 weeks or so, and after that, it probably won’t be available again—even if I do decide to someday offer back issues.

This is pretty fundamental stuff, and you can make sure you get your copy here:

P.S. Here’s something you can do if you liked today’s post: you can sign up for those daily emails that annoying pop-up keeps asking you about. Or, if you want to know more about what you’re going to get if you do and how it works, then just go knock on the front door: https://archistry.com and you’ll get the whole deal.

Or…you can just keep reading the blog, or ignore me and Archistry all together. I’m good either way.

EMAIL NEWSLETTER

Want to get DAILY email tips on how to build a more effective security program so you can prove your security investments deliver value to the business?

Your nameYour best email

I understand and agree that when I sign up above, I will be added to a marketing mailing list where I will receive DAILY security leadership tips and promotional offers from Andrew S. Townley according to the terms of Archistry's privacy policy and site terms and conditions.

You can always unsubscribe at any time, and we won't sell your data to third parties.

About Us

Archistry works with you to ensure what you want to achieve actually gets done, linking strategy, risk, governance and compliance to enable sustained exceptional performance Read More…

Testimonials

Andrew is a highly skilled and experienced information systems
architect and consultant, which in my view is a rare thing. He is
innovative in his thinking and merits the title of 'thought
leader' in his specialist domains of knowledge—in particular the
management of risk. Andrew has embraced SABSA as a framework and,
in doing so, has been a significant contributor to extending the
SABSA body of knowledge."

— John Sherwood, Chief SABSA Architect

"Fabulous person to work with. Very engaging and insightful. Extremely
good technical knowledge with ability to relate concepts together and
overcome differing opinions. Makes things work."

"Andrew was able to bring clarity and great depth of knowledge to the
table. His breadth of thinking and understanding of the business
and technical issues along with a clear and effective
communication style were of great benefit in moving the process
forward towards a successful conclusion."

— Doug Reynolds, Product Manager, MobileAware

"Andrew is a fabulous consultant and presenter that you simply
enjoy listening to, as he manages to develop highly sophisticated
subjects in very understandable way. His experience is actually
surprising and his thoughts leave you without considerable
arguments for any doubts in the subjects he covers."